The GDPR is coming – arrange your Readiness Review now
What is it?
The General Data Protection Regulation (GDPR) will introduce the biggest changes to data protection law in Europe in more than 20 years, along with huge fines if you don’t comply.
The GDPR has already been agreed by the EU institutions and we know it will affect every organisation that processes personal data.
The new wider definition of ‘personal data’ covers any information about an identified or identifiable individual, but to identify someone you do not need to know their name. It is enough if you can single them out from a group, by means of an identification number, location data or online identifier (such as an IP address) or something that is specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Who does it affect?
As a Regulation, it will apply directly in every EU Member State without the need for national legislation. From early 2018, it will apply to all personal data, in whatever format it is held (including structured paper files) and whenever it was collected, so you need to ensure that any new personal data you collect complies with it as soon as possible and decide how you will bring your existing data up to the new standards.
Organisations that process personal data on the instructions of another organisation, e.g. hosting companies, will have a particularly steep learning curve because they will be subject to statutory obligations for the first time.
The GDPR will be a priority for organisations across Europe (and beyond) throughout 2016, but even so, many organisations will find that two years is not long enough to do all that needs to be done.
You may be adopting a “wait and see” approach, but what are you waiting for? Don’t lose valuable time!
Data protection compliance is a constant and iterative process. You need to be moving towards compliance and revising your approach in the light of developments, such as how the UK decides to exercise its discretion in certain areas as well as new guidance and cases in the UK and Europe.
So where can you find up-to-date and reliable information about what you need to do?
There are thousands of pages of guidance on the ICO’s website, but they all relate to the existing regime and the Ministry of Justice has not yet issued any guidance to organisations in the UK on the GDPR. Guidance will eventually be issued by the European data protection authorities, but it could be a long time before they can agree it.
Are you ready?
You could look through the vast amount of information online, but can you tell what is relevant? Much of the information is based on earlier drafts that have since been amended or replaced, or it is written from the perspective of countries with a very different approach to privacy, such as the US.
Your solicitor could help you, but is he or she a specialist in data protection, information security and risk management?
Where we fit in
The simple answer is that you can find out how much you will have to do by arranging a Readiness Review. The GDPR is built on the existing requirements, but many organisations still have some way to go to comply with them. We will assess your current state of readiness against the existing requirements using a RAG rating (Red, Amber and Green).
We will also explain what you will need to do to reach the new standards. For example, there are new data protection principles. You will need to take steps throughout the lifecycle of your data, from the moment you start designing your processes until the processing is completed, to ensure you are complying (the principle of “Data Protection by Design”).
You will also need to show, at every stage of your processing, how you are complying (the principle of “Accountability”).
Once you know what needs to be done, you can start planning how you will move towards compliance and the milestones you will have to reach.
The sooner you start, the easier it will be to comply, so contact us to start that journey.
What we provide
We can help you through the whole process by providing general awareness seminars or more detailed training for those who are more closely involved. We provide pragmatic advice and can draft documents, including notices, policies, procedures, guidelines and Data Protection Impact Assessments.
You may need a Data Breach Incident Management Policy, so you can be confident that you can identify a personal data breach and report it to the ICO within 72 hours, or you may need to revise your existing policy to cover new issues, such as unauthorised reversal of pseudonymisation.
GDPR and IT Security
In relation to IT security, the GDPR recommends the use of pseudonymisation and encryption as well as regular testing of security measures, e.g. Vulnerability Testing, Penetration Testing and Control Testing.
We can also help you with these and guide you through the certification process for Cyber Essentials, ISO/IEC 27001:2013 and PCI-DSS.